nixos/nextcloud: use LoadCredential to read secrets

This patch adds support for using systemd's LoadCredential
feature to read various secret files used by nextcloud service
units.

Previously credentials had to be readable by the nextcloud user,
this is now no longer required.

The nextcloud-occ wrapper script has been adjusted to use
systemd-run for loading credentials when being called from
outside a service.

In detail this change touches various details of the module:

- The nix_read_secret() php function now takes the name of a
  file relative to the path specified in the CREDENTIALS_DIRECTORY
  environment variable.
- The nix_read_secret() now exits with error code 1 instead of
  throwing a RuntimeException as this will properly error out
  the nextcloud-occ script
- Only the nextcloud-setup service unit has the adminpass credential
  added in addition to the other credentials
- Uses of ExecCondition= in nextcloud-cron and nextcloud-update-db
  have been replaced by a shell conditional as ExecCondition currently
  doesn't support credentials
- The phpfpm-nextcloud service now runs a preStart script to make
  the credentials it gets readable by the nextcloud user as the
  unit runs as root but the php process itself as nextcloud.
- To invoke occ notify_push:setup when using nextcloud notify_push
  a new service has been added that replaces the preStart script
  in nextcloud-notify_push.service. This has been done as the
  main executable only needs the database password credential.

Co-authored-by: lassulus <lassulus@lassul.us>

0 files changed, 0 insertions, 0 deletions